Apple tries to stymie malware with changes to macOS Sierra's Gatekeeper

15.06.2016
Apple will further lock down what apps can be run on Macs when it releases macOS Sierra this fall, according to a Tuesday session at the company's developer conference.

The move is likely a response to revelations last year that Gatekeeper -- the feature and technology that restricts what applications can be run on a Mac -- could be easily bypassed by attackers to plant malware on machines. A patch Apple issued in October 2015 failed to fix the problem, contended the original researcher, Patrick Wardle, director of research with Synack, in January.

In Sierra, Gatekeeper will offer users just two options: Macs will install software downloaded from the Mac App Store, or applications that have been signed with certificates Apple provides free-of-charge to registered developers.

Previously, users could select an "Anywhere" option from the Preferences pane that let them install and run unsigned applications downloaded from outside the Mac App Store. That setting will disappear from macOS Sierra's Preferences.

"Anywhere" hasn't actually been pulled, said Simon Cooper, an Apple engineering manager, during a session at the Worldwide Developers Conference (WWDC) yesterday. An unsigned application downloaded from outside the Mac App Store can still be opened, sidestepping Gatekeeper, using a button that will appear in the Preferences pane, or the other techniques already available, such as right-clicking the app in the Finder and choosing "Open."

Essentially, Apple is eliminating the Anywhere option for the masses, but retaining a way for advanced users to continue to bypass Gatekeeper.

But Apple will also change how Gatekeeper treats suspect applications.

To prevent what Cooper called "the repackaging problem" and "repackaging attacks" -- where hackers mimic an actual app but bundle malicious code in external components delivered alongside it -- macOS Sierra will randomize the location of the app on the drive, making it impossible for the malicious code to find the app and piggyback on it.

Applications delivered as unsigned disk images, files that end with the extension ".dmg" and one of the most popular ways to distribute software outside the Mac App Store, will be subject to this randomization.

To continue to support the .dmg delivery mechanism, but secure it, Apple will now let engineers sign disk images using the same free certificates generated for them as a registered developer.

macOS Sierra was released to developers earlier this week, and will enter public preview in July. Apple has not named a launch date for the production version, saying only that it would be this fall. In the past, Apple has traditionally upgraded its Mac operating system in October, although last year it shipped El Capitan in late September.

(www.computerworld.com)

Gregg Keizer